Device manufacturers were quick to capitalize on the rise of the Internet of Things (IoT) and the possibilities of what could be accomplished if so-called smart devices were able to communicate with one another. However, as they worked to bring these devices to market quickly, many hardware makers failed to secure them properly by doing things such as not actively encouraging users to change the default credentials of their devices. According to Security Today, experts estimate that 31bn IoT devices will be installed during 2020 which could leave both businesses and consumers at risk of attacks.
Principal security researcher at Tripwire, Craig Young has dedicated his time and efforts to securing these devices and chances are if you have an IoT device, Craig has looked into it. TechRadar Pro spoke with Craig about what led him to become a security researcher and he also provided further details regarding his recent discoveries of a vulnerable smart lock as well as a location privacy vulnerability in two of Google’s most popular consumer products.
Can you tell us a bit more about your work with Tripwire’s Vulnerability and Exposure Research Team (VERT)?
My work as a VERT Principal Security Researcher is incredibly multi-faceted and I regularly wear several hats throughout the week or even the day. My job involves staying on top of security trends at the low-level and being able to jump from one technology or role to another at a moment’s notice.
In addition to writing many remote vulnerability tests for IP360, I am regularly involved in guiding internal security policies as well as some aspects related to the secure design of Tripwire products. I also spend a lot of time just reading and experimenting. This has led me to my own research projects some of which have wound up as the subject of presentations or even classes as well-known security conferences like Black Hat, DEF CON, and SECtor.
What led you to make the switch from being an engineer to a security researcher?
Whether it was exploring the COCOT (payphones) at the mall as a preteen or showing the high school administrator how easily I could access the grading system, I’ve always been drawn to the security aspects of technology and I was simply lucky enough to be able to make this into a career.
What are the biggest security threats to IoT devices currently and how can device manufacturers make their connected products more secure?
IoT comes with many risks depending on the application, but at a general level the biggest risk from my perspective is the possible destabilization of the Internet stemming from the compromise of a major IoT vendor. An attacker who gains access to the cloud infrastructure of a popular IoT device could potentially push malicious software into homes and offices around the globe. The damage caused by a sophisticated attack of this sort could potentially eclipse that from Mirai or even WannaCry or NotPetya.
You recently discovered a vulnerability in a popular smart lock brand. Can you tell us more about what you uncovered and what led you to look into smart lock security in the first place?
On this particular smart lock, I found that the vendor had effectively left the door open to attackers. Specifically, the message queueing broker in use did not require any username or password and would allow anyone in the world to exchange messages with any lock connected to the vendor’s cloud.
By connecting to the vendor’s cloud anonymously and then unlocking my test lock, I was able to observe a cryptographic token for unlocking the door. I could then replay this message to unlock the door. I could also send other messages which would prevent someone from unlocking the door with the keypad or fingerprint reader or to keep their app disconnected indefinitely.
The way I came across this vulnerability was a bit atypical however. Rather than starting with a specific product and looking for vulnerabilities in it, I started by considering the MQTT protocol commonly used in IoT and looking for data exposures. I found this lock vendor while searching data indexed by the Shodan Internet search engine for email addresses and terms relevant to IoT. The server caught my attention because Shodan had actually locked several hundred email addresses which were sent to Shodan as MQTT topic names.
How can a hacker exploit a smart speaker to gain information on its owner and do you believe these devices pose a serious threat to users’ privacy?
One example is outlined in my older research. In that scenario, the attacker could obtain a precise geographic location of the smart speaker after anyone connected to this network loaded malicious content in a web browser either through a direct link or an embedded ad. Google resolved this issue by adding protections to prevent DNS rebinding attacks.
Other attacks I’m aware of tend to fall into two main categories: malicious applications and sending unauthorized voice commands. In the first category, several research groups have looked at various ways in which a malicious developer may be able to eavesdrop on conversations happening around the smart speaker. The second category frequently involves applied physical techniques which make it possible to interact with the speaker from outside of the home. The most effective technique in this regard seems to be the use of lasers to induce sound directly in the device’s microphone.
I’m personally not overly concerned about hackers exploiting smart speakers. It is important to be mindful about what 3rd party content you enable and what access you give the smart speaker, but at the end of the day, with the current generation of devices I am not overly concerned about individualized malicious hacking. I am far more concerned with the likelihood that the vendors themselves will exploit their access into our homes by selling gleaned information about us to advertisers or even to law enforcement.
Of all the vulnerabilities you’ve discovered, which was the most interesting and why?
From a technical perspective, my research into cryptographic flaws has been most interesting. Back in 2018, I had the opportunity to co-author The Return of Bleichenbacher’s Oracle Threat (ROBOT) along with Hanno Böck and Dr. Juraj Somorovsky. Apart from the deeply interesting technical flaws we were uncovering, this research required us to identify and coordinate between a long list of affected vendors for a disclosure on a scale I had not previously been involved in. This also led to a Pwnie Award at Black Hat that year and gave me the spark to explore other cryptography problems such as GOLDENDOODLE and Zombie POODLE which I disclosed in 2019.
What advice would you give to a business thinking about adopting IoT or other connected devices?
As with any technology adoption, businesses must weigh the potential benefits against the potential risks. Organizations also need to consider these investments within the larger context of their business and operational capabilities. Decision makers must consider the various what-if scenarios to fully understand what they are getting into with IoT. Some questions to ask include:
– What happens if X becomes unavailable?
-What happens if data from X falls into the wrong hands?
-Can an attacker on this system access or disrupt business resources?
Beyond this, there are other things to consider about the vendor and the specific security precautions they are making. Ideally, vendors should have established secure design processes including formal threat modeling, external security review, and authenticated update delivery. Unfortunately, this type of information is not generally available to most consumers, but I hope that in the future there will be independent organizations evaluating vendors based on these and other critical metrics.